ASUS RT-AC87U serial console is wide open!


zerodegrekelvin

Regular Contributor
Dear ASUS RT-AC87 fans,

I love this router, so hacker friendly: the serial console is wide open at J3. If you crack open the case, you can see that at J3 all the pins are there. At first I thought it was a joke, until I plugged my USB-TTL adapter into those pins, well marked TX/RX.

And yes, I voided the warranty by opening the router :cool:, at first only to use my infrared cam to see how hot the internals are... massive heatsink.

Set 115200 baud and you see everything from boot-up to the Linux prompt!!

Extracting the WPS PIN and WPA2 key is a joke: 'nvram show | grep wps' and 'nvram show | grep wpa' and you will know what I mean. The same goes for the admin password.

Worse, tftpd is on and you can put/get anything you want from /tmp, and it is not finished yet: there is a huge jffs2 partition, 61M, at your disposal.

What more can I say? This time I am just publishing my findings. The last time I raised a vulnerability with ASUS, it took a month to get their attention, and probably only because the CERT center contacted them on my behalf.

Cheers.
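The commands the OP lists ('nvram show', the tftpd service) are the same ones an administrator can use to audit the unit from its own shell. The script below is an added example, not code from the thread or from ASUS: it parses constructed samples of 'nvram show' and 'netstat -ln' output and reports the exposures discussed here (WPS enabled, credentials sitting in plaintext nvram, tftpd listening on udp/69) without printing any secret values. The nvram key names (wps_enable, wl0_wpa_psk, wps_device_pin, http_passwd) are assumed from Asuswrt conventions for illustration; on a real unit, feed it the output of those two commands over SSH instead of the samples.

```python
import re

# Constructed sample of `nvram show` output. These values are made up;
# the key names are assumed Asuswrt-style names used for illustration.
SAMPLE_NVRAM = """\
wl0_ssid=HomeNet
wl0_wpa_psk=correct horse battery staple
wps_enable=1
wps_device_pin=12345670
http_passwd=admin123
jffs2_on=1
"""

# Constructed sample of `netstat -ln` output on the router.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

# nvram variables whose values are credentials; only their presence is reported.
SENSITIVE_KEYS = {"wl0_wpa_psk", "wl1_wpa_psk", "wps_device_pin", "http_passwd"}


def parse_nvram(text):
    """Turn `nvram show` output (key=value per line) into a dict."""
    variables = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        variables[key.strip()] = value
    return variables


def udp_listeners(netstat_text):
    """Return the set of UDP ports with a listening socket in `netstat -ln` output."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("udp"):
            port = fields[3].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports


def audit(nvram_text, netstat_text):
    """Report the exposures discussed in the thread, never echoing a secret."""
    findings = []
    nv = parse_nvram(nvram_text)

    if nv.get("wps_enable") == "1":
        findings.append("WPS is enabled (wps_enable=1); disable it unless it is actually needed")

    # Report that a credential is present and its length, not the value itself.
    for key in sorted(SENSITIVE_KEYS):
        if nv.get(key):
            findings.append(f"{key} is stored in plaintext nvram ({len(nv[key])} chars)")

    if 69 in udp_listeners(netstat_text):
        findings.append("tftpd is listening on udp/69; anyone on the LAN can put/get files in /tmp")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NVRAM, SAMPLE_NETSTAT):
        print("-", finding)
```

The report deliberately prints lengths rather than values so it can be pasted into a ticket or forum post; the point of the check is to see which of these conditions hold on a given unit, not to harvest the credentials.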

@zerodegrekelvin
 
Well, that is one way to look at it. The other way is that if you need that kind of security, you should physically restrict the device. Otherwise, serial connection is actually pretty cool!

The GUI will give you that same information when logged in.

But I will keep those commands for my personal collection of admin stuff.
 
Lots of equipment has an internal diagnostics port, including enterprise-level equipment. So, now you are saying I should worry about someone sneaking into where I physically keep the router, opening it up, and connecting a terminal emulator. Your first report was interesting... trying to make a big deal out of this is stretching things.
 
The rt-n16, rt-n66, rt-ac66, rt-ac68 that I opened have all had the pins already soldered and labeled.
 
The rt-n16, rt-n66, rt-ac66, rt-ac68 that I opened have all had the pins already soldered and labeled.

And going back in time... I can remember connecting the serial port to un-brick a Linksys WRT54G and to recover from a firmware problem on SATA drives (yes, the SATA drive has a serial port too).
 
One needs physical access to the device, and needs to take it apart...

Asus probably should have removed the jumper pins perhaps, but nothing more there...
 
Now, if one were to take, perhaps, an FTDI USB-serial device and use that for access, as the ASUS BSP supports USB-comm ports, it would be interesting to know what happens there ;)
 
I hope they never remove the pins. Saves me a step.

In a couple of my designs, we left the pads, but didn't populate the jumpers - and to be clever, we inverted a couple of the GPIO pins (Hi is Low, so to speak), so depending how one did the jumpers, it could be Serial, JTAG, or Native USB ;)

Mostly to keep the riff-raff out :p

sfx
 
In a couple of my designs, we left the pads, but didn't populate the jumpers - and to be clever, we inverted a couple of the GPIO pins (Hi is Low, so to speak), so depending how one did the jumpers, it could be Serial, JTAG, or Native USB ;)

Mostly to keep the riff-raff out :p

sfx

Exactly, you never know who you'll need to talk through working with a device in the future. Don't want to lock yourself out!
 
Lots of equipment has an internal diagnostics port, including enterprise-level equipment. So, now you are saying I should worry about someone sneaking into where I physically keep the router, opening it up, and connecting a terminal emulator. Your first report was interesting... trying to make a big deal out of this is stretching things.
I work in the enterprise space, not the home user space. We do not use WPS, and we do not expose the serial console unless needed; usually the serial port has some kind of CLI shell a la Cisco, and the flash is encrypted. In this particular router the complete Linux prompt is exposed, where you can basically capture the admin password, WPS, WPA2 key, the whole file system, the kernel, the boot, the wireless driver. Everything is exposed to the bare metal here, my friend, so in my book this router is "unsecure" :cool:
 
I work in the enterprise space, not the home user space. We do not use WPS, and we do not expose the serial console unless needed; usually the serial port has some kind of CLI shell a la Cisco, and the flash is encrypted. In this particular router the complete Linux prompt is exposed, where you can basically capture the admin password, WPS, WPA2 key, the whole file system, the kernel, the boot, the wireless driver. Everything is exposed to the bare metal here, my friend, so in my book this router is "unsecure" :cool:

We should talk at some point - I think the key difference here is backgrounds, but we're not that much different..

sfx
 
This is a non-issue. Every single home router I ever opened had an internal serial port. They also all have some form of recovery mode through tftp.

As most security experts would tell you, once someone gets physical access to a device, all bets are off. Or else, you might start even calling the presence of soldered chips "a security risk", as one could either piggy-back, or desolder the flash to extract its content...

Removing the pins is not a security enhancement, it's a support nightmare. If you have the time to open the physical case, you also have the time to solder four wires to the pads. Or to just run away with the router, and have your way with it any way you see fit.

If you need a COMPLETELY locked down device, then use a locked down enterprise device, with tamper-proof casing and screws and something more secure than a Kensington lock to keep it in place, rather than a plastic-cased router with Phillips screws...

There's a balance to be reached between security and convenience. Otherwise, one would say that the fact that you can access a computer by typing the right password is a security risk - what if a hacker manages to enter the correct random password on his first few attempts?

Removing or locking down the serial port wouldn't enhance security, it would just royally piss off developers like myself.
 
To add further to this: if you really wanted something to be secure, the router shouldn't be allowed to run firmware code that wasn't signed by the manufacturer.

I'll let you reflect for 10 seconds what would be the reaction of the user base if tomorrow all manufacturers told them that, "for security reasons, you can no longer flash any third party firmware at all - all firmwares must be digitally signed by us."

Yeah, not gonna fly.

So, there has to be a compromise there, based on the expected usage scenario for a given device.
 
I agree with Merlin.
We are talking about relatively cheap plastic-cased home-use routers.
The major concern for this kind of home-use stuff, basically any consumer equipment that is designed to connect to the Internet of Things, is how to keep it safe from unwanted remote access over the Internet.

To design a safe or safer firmware is one, to get the running firmware updated with the new version is two.
We, everyone reading these forums, are capable of upgrading firmware, or are at least aware of a possible need to upgrade.

The large majority of users of consumer products are not aware, and most of them are not able to upgrade firmware (including e.g. my wife). They buy this sort of equipment like furniture: buy, enjoy and throw away at the end of the life cycle.

What is the percentage of routers worldwide that is running "the latest" firmware? I guess it is 1%, where 99% is running the firmware as shipped.

Automatic firmware upgrade may be the key, with the option for "experienced" users to turn that off. So far automatic firmware upgrades are not really reliable and often require corrective actions by the end user.
When I look at Windows Update, that seems to be pretty reliable these days (much better than in the days of W95 or NT 4.0).
 
We should talk at some point - I think the key difference here is backgrounds, but we're not that much different..

sfx
:cool: I just want to publish my findings in this forum, as I saw you guys are a bunch of wifi enthusiasts and fans of ASUS, that is all. I am not going to debate further.

For sure devttys0 does not have to deploy his cool tool 'binwalk' to extract the firmware from any file, because he can access the whole system live :cool: For a developer this is a dream; all the kernel symbols are present.

Cheers.
 
To the OP - appreciate your comments and mindset - too many times, security is treated as something to do after the fact - it's not specific to Asus or D-Link - many of the issues in the SOHO router space are issues included as part of the BSP from the SoC provider.

Once one gets into devices with embedded web servers, there are plenty of reported issues with cross-site scripting vulnerabilities, poor practices with regard to "hidden" pages that can be leveraged for privilege escalation, etc. etc. etc.

Another challenge is that due to the short development cycle, and pressure to get things on the market, there's really only about a year before the dev team has ended support for the software and has moved on to the next product - so vulnerabilities, whether in the vendor-specific code, the BSP, or other software, never get patched in the product, even though the upstream developer has fixed things.

As to the serial port concern - this is perhaps a low to medium concern, as one has to have physical access to the device, and disassemble it to even get to the jumpers. And once there, it's a console login... it's no different than any other box in this regards.

It's the little things though - attention to detail - if a vendor misses small items (like the WPS issue that was brought up), then it suggests, to a determined attacker, that there's other opportunities as well - security is something that needs to be designed in, rather than added on after the fact.

And it's not about secure bootloaders or signed code - most of the issues with SOHO devices like routers/APs, NAS boxes, media players, etc. - things that we see, esp. on home networks - come down to security really not being a priority for the engineering teams and product/business managers..

And user habits don't help much here either - it's way too easy for someone to port forward, or place into a DMZ, a device with a shell login, onto the public internet..

Think about that - there's a great quote from "Serenity" -- "Key members of Parliament". Key. The minds behind every military, diplomatic and covert operation in the galaxy, and you put them in a room with a psychic.

By putting those services out there on the public internet - users are trusting that Asus, D-Link, Apple, Linksys, TP-Link, QNAP, Synology, etc... have the user's security in mind.

Trust me - they don't...
 
And don't get me started about how many folks are using VPN tunnels...

Creating a VPN tunnel assumes that trust is established - ON BOTH ENDS!!!

Because once you create that tunnel - yes, you can now get Netflix or watch media that one perhaps might not in your location, but VPN tunnels cut both ways - people on the other end of that VPN tunnel can get into your network as well because, perhaps unwittingly, you've established a trust relationship with the other end.

Think about that one...

Now think about that again - do you know and control what is on the other side of the VPN tunnel?

If not, then perhaps, one might not want to do that.

Like I said in my previous post above, the SOHO vendors are making it way too easy for people to make uninformed decisions on what they place onto the public internet...
 
Well I mean, common sense - randomly flipping these features on willy-nilly is signing up for a bad time.

Bugs on the other hand, that's when I'm all ears because it's something that is "not supposed" to happen. Now that can end up being something cool, or downright catastrophic.
 
